W32/Sobig.F virus header

Malcolm Ray M.Ray at ULCC.AC.UK
Fri Aug 22 00:39:02 IST 2003


> On Thursday 21 August 2003 11:37 pm, Malcolm Ray wrote:
>
> > I still don't see the point of adding any such header to outgoing mail,
> > other than publicity (and the past few days have shown that "there's no
> > such thing as bad publicity" isn't true).  Why should I trust any message
> > from a remote site which claims to have been scanned?  Even if it's not
> > lying, I have no way of knowing that the sending site keeps its AV
> > signatures up to date.
>
> We are not advocating that you trust a remote site.
>
> We are saying you should change your own headers to be different from
> everyone else's so that you (and your users) can trust your own headers, and
> be sure which headers were added by *your* scanner (not someone else's, or
> indeed a virus).

How can I be sure that a virus hasn't figured out what form of the header
I'm using?  As I said, it requires little more than looking in the user's
inbox.

>
> > If and when I deploy MailScanner for my users, I intend to drop that
> > header.
>
> In which case, how will your users be able to tell whether your copy of
> MailScanner decided the email was safe or not?

There are two separate issues here: incoming mail, and outgoing mail.

In the case of incoming mail, one can certainly argue that adding the header
is useful.  If the site's mail topology ensures that all mail arriving from
'outside' must pass through MailScanner, and all intra-site mail normally
does so too, the absence of the header on a message arriving in your inbox
is a danger sign.  However, if your intra-site mail doesn't pass through
MailScanner, neither the presence nor absence of the header carries any
information for such mail, as far as I can see.

In the case of outgoing mail (which is what I was talking about), the header
serves no useful purpose, except in cases where an existing trust relationship
exists between the sending and receiving sites.  I think it's a fair bet that
there'll be future viruses which use the header, possibly even adapting to
what you've set it to locally.

I have sympathy with the sites who are filtering inbound mail carrying that
header.  It's like the decision you make when filtering spam: what proportion
of false positives are you prepared to suffer?  If the vast majority of the
mail arriving at a site with that header is troublesome, it's not surprising
if they're prepared to accept the collateral damage of dropping some legitimate
mail along with it.
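The incoming-mail case above (a scanner header carries information only if every message from outside must traverse the scanner) and the worry that a virus will simply copy whatever header form a site has chosen can both be made concrete with a small positional check. The following is an added example, not code from this post or from the MailScanner project. It assumes a hypothetical gateway mx.example.ac.uk that prepends both its own Received: line and a site-specific X-Example-MailScanner: header to the top of the header block (a hypothetical gateway; no claim is made about where the real MailScanner places its headers), and it classifies a message by where that header sits relative to the gateway's Received: line: a copy the sender supplied, forged or not, necessarily sits below it. The sample messages are constructed.

```python
"""Added example, not from the original post or from MailScanner itself.

Attribute a scanner header on an inbound message to our own gateway (or not)
using its position relative to the Received: line the gateway wrote.  All
names are assumptions: the gateway mx.example.ac.uk, the site-specific
header X-Example-MailScanner, and that the gateway prepends both its
Received: line and its scanner header to the top of the header block.
"""
from email import message_from_string

LOCAL_GATEWAY = "mx.example.ac.uk"       # assumed gateway hostname
LOCAL_HEADER = "x-example-mailscanner"   # assumed site-specific header, lower-cased


def classify(raw_message: str) -> str:
    """Return one of:
    'not-via-gateway' - no Received: line from our gateway: for such mail the
                        header, present or absent, carries no information
    'unscanned'       - the gateway handled it but no header follows: danger sign
    'scanned-here'    - header sits above the gateway's own Received: line, so
                        the gateway, not the sender, added it
    'sender-supplied' - header appears only below the gateway's Received: line,
                        i.e. it arrived with the message and may be forged
    """
    # items() yields (name, value) pairs in on-the-wire order, top of block first
    headers = message_from_string(raw_message).items()
    gateway_idx = next(
        (i for i, (name, value) in enumerate(headers)
         if name.lower() == "received" and f"by {LOCAL_GATEWAY}" in value),
        None,
    )
    if gateway_idx is None:
        return "not-via-gateway"
    scanner_idx = [i for i, (name, _) in enumerate(headers)
                   if name.lower() == LOCAL_HEADER]
    if not scanner_idx:
        return "unscanned"
    # Anything above the gateway's Received: line was added at or after the gateway
    if min(scanner_idx) < gateway_idx:
        return "scanned-here"
    return "sender-supplied"


# Constructed sample messages (not real traffic); hosts and dates are made up.
SCANNED = """\
Received: from mx.example.ac.uk by inbox.example.ac.uk; Fri, 22 Aug 2003 00:30:00 +0100
X-Example-MailScanner: Found to be clean
Received: from smtp.remote.example by mx.example.ac.uk; Fri, 22 Aug 2003 00:29:58 +0100
From: someone@remote.example
Subject: hello

body
"""

# Sender included a copy of our header; it sits below the gateway's Received: line
FORGED = """\
Received: from mx.example.ac.uk by inbox.example.ac.uk; Fri, 22 Aug 2003 00:31:00 +0100
Received: from smtp.remote.example by mx.example.ac.uk; Fri, 22 Aug 2003 00:30:58 +0100
X-Example-MailScanner: Found to be clean
From: someone@remote.example
Subject: Re: Thank you!

body
"""

UNSCANNED = """\
Received: from mx.example.ac.uk by inbox.example.ac.uk; Fri, 22 Aug 2003 00:32:00 +0100
Received: from smtp.remote.example by mx.example.ac.uk; Fri, 22 Aug 2003 00:31:58 +0100
From: someone@remote.example
Subject: Re: Details

body
"""

# Intra-site mail that never touched the gateway, yet carries the header
INTERNAL = """\
Received: from desk42.example.ac.uk by inbox.example.ac.uk; Fri, 22 Aug 2003 00:33:00 +0100
X-Example-MailScanner: Found to be clean
From: colleague@example.ac.uk
Subject: lunch

body
"""

if __name__ == "__main__":
    for label, sample in (("scanned", SCANNED), ("forged", FORGED),
                          ("unscanned", UNSCANNED), ("internal", INTERNAL)):
        print(f"{label:10s} -> {classify(sample)}")
```

The check is only as good as the topology it assumes: a host that bypasses the gateway can forge the gateway's Received: line as easily as the scanner header, which is exactly the case the post says carries no information. It also says nothing about a header on mail leaving the site, where the receiving side has no such anchor to compare against.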
